soc/amd/common/block/psp: Add platform secure boot support

Add Platform Secure Boot (PSB) enablement via the PSP if it is not
already enabled. Upon receiving psb command, PSP will program PSB fuses
as long as BIOS signing key token is valid.
Refer AMD PSB user guide doc# 56654, Revision# 1.00, this document is
only available with NDA customers.

Change-Id: I30aac29a22a5800d5995a78c50fdecd660a3d4eb
Signed-off-by: Ritul Guru <ritul.bits@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/60968
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
This commit is contained in:
Ritul Guru 2022-01-10 18:44:24 +05:30 committed by Felix Held
parent 5481eb3c2e
commit 8da3804430
5 changed files with 176 additions and 2 deletions

View File

@ -44,3 +44,15 @@ config SOC_AMD_COMMON_BLOCK_PSP_FUSE_SPL
help
Enable sending of set SPL message to PSP. Enable this option if the platform
will require SPL fusing to be performed by PSP.
config PSP_PLATFORM_SECURE_BOOT
bool "Platform secure boot enable"
depends on SOC_AMD_COMMON_BLOCK_PSP_GEN2
default n
help
Select this config to enable PSP Platform Secure Boot.
Platform Secure Boot will automatically be fused on boot if the
coreboot ROM is properly signed and can not be disabled once fused.
Refer AMD PSB user guide doc# 56654, Revision# 1.00, this document is
only available with NDA customers.

View File

@ -27,6 +27,8 @@ ifeq ($(CONFIG_SOC_AMD_COMMON_BLOCK_PSP_GEN2),y)
romstage-y += psp_gen2.c
ramstage-y += psp_gen2.c
ramstage-$(CONFIG_PSP_PLATFORM_SECURE_BOOT) += psb.c
smm-y += psp_gen2.c
smm-y += psp_smm_gen2.c

View File

@ -0,0 +1,159 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#include <arch/mmio.h>
#include <bootstate.h>
#include <amdblocks/reset.h>
#include <console/console.h>
#include <cpu/amd/msr.h>
#include <types.h>
#include "psp_def.h"
#define PSB_STATUS_OFFSET 0x10994
#define FUSE_PLATFORM_SECURE_BOOT_EN BIT(24)
#define PSB_TEST_STATUS_MASK 0xff
#define PSB_FUSING_READY_MASK BIT(8)
/* PSB Test Status and Error Codes (doc#56654) */
#define PSB_TEST_STATUS_PASS 0x00
#define PSB_TEST_STATUS_FUSE_READ_ERR 0x3e
#define PSB_TEST_STATUS_BIOS_KEY_BAD_USAGE 0x81
#define PSB_TEST_STATUS_BIOS_RTM_SIG_NOENT 0x82
#define PSB_TEST_STATUS_BIOS_RTM_COPY_ERR 0x83
#define PSB_TEST_STATUS_BIOS_RTM_BAD_SIG 0x84
#define PSB_TEST_STATUS_BIOS_KEY_BAD_SIG 0x85
#define PSB_TEST_STATUS_PLATFORM_BAD_ID 0x86
#define PSB_TEST_STATUS_BIOS_COPY_BIT_UNSET 0x87
#define PSB_TEST_STATUS_BIOS_CA_BAD_SIG 0x8a
#define PSB_TEST_STATUS_BIOS_CA_BAD_USAGE 0x8b
#define PSB_TEST_STATUS_BIOS_KEY_BAD_REVISION 0x8c
#define FUSE_STATUS_SUCCESS 0x00
#define FUSE_STATUS_NOT_ALLOWED 0x09
#define FUSE_STATUS_FUSING_ERR 0x0a
#define FUSE_STATUS_BOOT_DONE 0x0b
static const char *psb_test_status_to_string(u32 status)
{
switch (status) {
case PSB_TEST_STATUS_PASS:
return "Psb Test Status PASS";
case PSB_TEST_STATUS_FUSE_READ_ERR:
return "Error reading fuse info";
case PSB_TEST_STATUS_BIOS_KEY_BAD_USAGE:
return "OEM BIOS signing key usage flag violation";
case PSB_TEST_STATUS_BIOS_RTM_SIG_NOENT:
return "BIOS RTM signature entry not found";
case PSB_TEST_STATUS_BIOS_RTM_COPY_ERR:
return "BIOS copy to DRAM failed";
case PSB_TEST_STATUS_BIOS_RTM_BAD_SIG:
return "BIOS RTM signature verification failed";
case PSB_TEST_STATUS_BIOS_KEY_BAD_SIG:
return "OEM BIOS signing key failed signature verification";
case PSB_TEST_STATUS_PLATFORM_BAD_ID:
return "Platform vendor id and/or model id binding violation";
case PSB_TEST_STATUS_BIOS_COPY_BIT_UNSET:
return "BIOS copy bit unset for reset image";
case PSB_TEST_STATUS_BIOS_CA_BAD_SIG:
return "OEM BIOS signing CA key failed signature verification";
case PSB_TEST_STATUS_BIOS_CA_BAD_USAGE:
return "OEM BIOS signing CA key usage flag violation";
case PSB_TEST_STATUS_BIOS_KEY_BAD_REVISION:
return "OEM BIOS signing key revision violation";
default:
return "Unknown failure";
}
}
static const char *fuse_status_to_string(u32 status)
{
switch (status) {
case FUSE_STATUS_SUCCESS:
return "PSB Fusing completed successfully";
case FUSE_STATUS_NOT_ALLOWED:
return "Fusing not allowed or already done";
case FUSE_STATUS_FUSING_ERR:
return "Fuse programming failed";
case FUSE_STATUS_BOOT_DONE:
return "Issued after BOOT DONE";
default:
return "Unknown failure";
}
}
static uint32_t get_psb_status(void)
{
return smn_read32(SMN_PSP_PUBLIC_BASE + PSB_STATUS_OFFSET);
}
/*
* Request Platform Secure Boot enablement via the PSP if it is not already
* enabled. Upon receiving this command, the PSP will program all PSB fuses
* so long as the BIOS signing key token is valid.
*/
static enum cb_err psb_enable(void)
{
u32 status;
struct mbox_default_buffer buffer = {
.header = {
.size = sizeof(buffer)
}
};
status = get_psb_status();
printk(BIOS_INFO, "PSB: Status = %x\n", status);
if (status & FUSE_PLATFORM_SECURE_BOOT_EN) {
printk(BIOS_DEBUG, "PSB: Already enabled\n");
return CB_SUCCESS;
}
status = soc_read_c2p38();
printk(BIOS_INFO, "PSB: HSTI = %x\n", status);
const u32 psb_test_status = status & PSB_TEST_STATUS_MASK;
if (psb_test_status != PSB_TEST_STATUS_PASS) {
printk(BIOS_ERR, "PSB: %s\n", psb_test_status_to_string(psb_test_status));
return CB_ERR;
}
if (!(status & PSB_FUSING_READY_MASK)) {
printk(BIOS_ERR, "PSB: Fusing not allowed\n");
return CB_ERR;
}
printk(BIOS_DEBUG, "PSB: Enable... ");
const int cmd_status = send_psp_command(MBOX_BIOS_CMD_PSB_AUTO_FUSING, &buffer);
psp_print_cmd_status(cmd_status, &buffer.header);
if (cmd_status) {
printk(BIOS_ERR, "PSB: Fusing request failed: %d\n", cmd_status);
return CB_ERR;
}
const u32 fuse_status = read32(&buffer.header.status);
if (fuse_status != FUSE_STATUS_SUCCESS) {
printk(BIOS_ERR, "PSB: %s\n", fuse_status_to_string(fuse_status));
return CB_ERR;
}
printk(BIOS_NOTICE, "PSB: Rebooting\n");
cold_reset();
}
static void enable_secure_boot(void *unused)
{
/*
* Enable secure boot before loading payload. Psb fusing is done late in
* boot process to avoid any fuse access conflicts with other components
* which happens during boot process.
*/
if (psb_enable() == CB_ERR)
printk(BIOS_NOTICE, "Enabling PSB failed.\n");
}
BOOT_STATE_INIT_ENTRY(BS_PAYLOAD_LOAD, BS_ON_ENTRY, enable_secure_boot, NULL);

View File

@ -17,6 +17,7 @@
#define MBOX_BIOS_CMD_CLEAR_S3_STS 0x07
#define MBOX_BIOS_CMD_S3_DATA_INFO 0x08
#define MBOX_BIOS_CMD_NOP 0x09
#define MBOX_BIOS_CMD_PSB_AUTO_FUSING 0x21
#define MBOX_BIOS_CMD_SET_SPL_FUSE 0x2d
#define MBOX_BIOS_CMD_QUERY_SPL_FUSE 0x47
#define MBOX_BIOS_CMD_ABORT 0xfe
@ -26,6 +27,8 @@
#define MBOX_BIOS_CMD_SMU_FW 0x19
#define MBOX_BIOS_CMD_SMU_FW2 0x1a
#define SMN_PSP_PUBLIC_BASE 0x3800000
/* command/response format, BIOS builds this in memory
* mbox_buffer_header: generic header
* mbox_buffer: command-specific buffer format

View File

@ -7,8 +7,6 @@
#include <amdblocks/smn.h>
#include "psp_def.h"
#define SMN_PSP_PUBLIC_BASE 0x3800000
#define PSP_MAILBOX_COMMAND_OFFSET 0x10570 /* 4 bytes */
#define PSP_MAILBOX_BUFFER_L_OFFSET 0x10574 /* 4 bytes */
#define PSP_MAILBOX_BUFFER_H_OFFSET 0x10578 /* 4 bytes */